RGWCloneMetaLogCoroutine::state_read_shard_status() is calling RGWMetadataLog::get_info_async(), and passing pointers to some of its member variables. RGWMetadataLogInfoCompletion stores these pointers and dereferences them on completion. But nothing appears to be holding a reference on RGWCloneMetaLogCoroutine to do this safely.

Related issues

Copied to rgw - Backport #18613: kraken: multisite: use after free in RGWCloneMetaLogCoroutine::state_read_shard_status()